hunt-lateral-movement

Hunt for lateral movement using PsExec, WMI, or similar techniques. Use when proactively searching for attackers moving through your network using admin tools. Searches for service installations, remote process execution, and suspicious network correlations.

Quality

88%

Does it follow best practices?

Impact

—

No eval scenarios have been run

Securityby

Passed

No known issues

Quality

Content

77%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a strong, actionable hunt skill with concrete UDM queries, clear MCP tool invocations, and a well-sequenced multi-step workflow with appropriate escalation paths. Its main weakness is that it's somewhat long for a single SKILL.md file—the query library and key indicators table add bulk that could be externalized. The placeholder documentation table is a nice touch for customization clarity.

Suggestions

Consider moving the detailed UDM query library to a separate reference file (e.g., LATERAL_MOVEMENT_QUERIES.md) and keeping only 1-2 example queries inline to improve progressive disclosure.

Remove the Key Indicators table at the end since it largely duplicates information already conveyed by the queries themselves, improving conciseness.

Dimension	Reasoning	Score
Conciseness	The skill is mostly efficient and avoids explaining basic concepts, but includes some redundancy (e.g., the Key Indicators table at the end largely repeats what's already clear from the queries, and the placeholder table could be more compact). Overall reasonably lean but could be tightened.	2 / 3
Actionability	Provides fully concrete UDM queries that are copy-paste ready, specific MCP tool calls with parameters, and clear instructions for each step. The placeholder table explicitly documents what needs customization, and the queries are executable rather than pseudocode.	3 / 3
Workflow Clarity	The 8-step workflow is clearly sequenced with logical progression from research → query development → execution → correlation → analysis → enrichment → documentation. It includes validation through network correlation (Step 4), enrichment feedback loops (Step 6), explicit escalation paths for confirmed findings, and requires documenting negative results.	3 / 3
Progressive Disclosure	The content is well-structured with clear headers and tables, but it's a fairly long monolithic document (~130 lines of content). The references to other skills/commands (e.g., `/enrich-ioc`, `/find-relevant-case`, `case_event_timeline_and_process_analysis`) are well-signaled, but the inline query library could potentially be split into a separate reference file for better organization.	2 / 3
	Total	10 / 12 Passed

Description

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that clearly defines its niche in threat hunting for lateral movement. It provides specific techniques (PsExec, WMI), concrete search targets (service installations, remote process execution, network correlations), and an explicit 'Use when' clause with natural trigger language. The description is concise, uses third person voice, and would be easily distinguishable from other security-related skills.

Dimension	Reasoning	Score
Specificity	Lists multiple specific concrete actions: 'Hunt for lateral movement using PsExec, WMI, or similar techniques', 'Searches for service installations, remote process execution, and suspicious network correlations.' These are concrete, actionable capabilities.	3 / 3
Completeness	Clearly answers both what ('Hunt for lateral movement using PsExec, WMI...searches for service installations, remote process execution, and suspicious network correlations') and when ('Use when proactively searching for attackers moving through your network using admin tools').	3 / 3
Trigger Term Quality	Includes strong natural keywords users would say: 'lateral movement', 'PsExec', 'WMI', 'admin tools', 'service installations', 'remote process execution', 'network correlations'. These are terms a security analyst would naturally use when looking for this capability.	3 / 3
Distinctiveness Conflict Risk	Highly distinctive niche focused specifically on lateral movement detection using named tools (PsExec, WMI). The combination of threat hunting, lateral movement, and specific admin tool abuse creates a clear, non-overlapping domain unlikely to conflict with other security skills.	3 / 3
	Total	12 / 12 Passed

Validation

90%

Warnings & errors only

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation — 10 / 11 Passed

Validation for skill structure

Criteria	Description	Result
frontmatter_unknown_keys	Unknown frontmatter key(s) found; consider removing or moving to metadata	Warning

	Total	10 / 11 Passed

Repository: dandye/ai-runbooks
Commit: 086cbf6

Reviewed: 2 months ago

Table of Contents

Discovery Implementation Validation

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.